Inconsistent packages.lock.json after updating global.json from 3.1.405 to 5.0.102 #10456
Comments
|
The extra package reference is brought by the SDK in https://github.com/dotnet/sdk/blob/61e32e28afb1ab622e96625aa80cebc78373554f/src/Tasks/Microsoft.NET.Build.Tasks/targets/Microsoft.NET.Sdk.FrameworkReferenceResolution.targets#L359-L377. Can you try setting Not sure why it's being added at this point, but we can dig more if setting the property fixes it. |
|
Setting AutomaticallyUseReferenceAssemblyPackages to false stopped the inconsistent lock file modifications.
I'm still testing some of our other environments, though it did resolve the first couple of environments that were hitting deterministic updates of existing files not present when using the earlier sdk version.
|
|
Sounds great. We can move this to SDK team so they can help us figure out this changed. |
|
We started automatically referencing the reference assembly packages as needed in the .NET 5 SDK: dotnet/sdk#10981 These references are only supposed to be added when the corresponding targeting pack is not installed in Program Files. So I would expect the build to fail for the 3.1 SDK if the targeting pack was not installed, and I would expect the lock files to be the same with the 5.0 SDK if both environments have the targeting pack installed. |
|
In most of the examples, these were for projects targeting down level full framework versions (i.e. 4.6.2, 4.7, etc...). We do have packages containing the relevant targeting packs that are correctly found in our build environment via shared logic,, though that doesn't seem to be a consideration for how the lock files are being updated (and the available targeting packs installed to Program Files varies across dev machines with an even more minimal setup on lab/cloud machines). Our main concern is that we want deterministic lock files based on the source state of the project. Turning off the the functionality via AutomaticallyUseReferenceAssemblyPackages returns us to the earlier behavior. If there were another option to always add the reference version to the lock file (regardless of the Program Files installed state), that would also work for us. |
|
Why not use Worth understanding why: Specifically focusing on @breidikl's comment:
|
|
The .NET Framework targeting pack packages can be referenced manually, either in an SDK-style project or in a classic project. So the NuGet packages have .targets files that need to be imported which tell MSBuild where to find the reference assemblies. Also, the Microsoft.NETFramework.ReferenceAssemblies package has version-specific dependencies on the packages which deliver the reference assemblies for each framework. If you want to use these packages and want stable lock files, you should be able to simply add an explicit package reference to the Microsoft.NETFramework.ReferenceAssemblies package. |
nkolev92
added
Area:RestoreRepeatableBuild
|
Related to #9195. We discussed this during our sync and considered a few alternatives. Here's some of those notes + my personal answers to the 2 ideas/2 open questions.
I want to reiterate a point brought in the above comments. @breidikl What do you think about the above approach of the SDK not adding the targeting pack when using lock files? Would you prefer to add the targeting pack reference yourself instead? |
|
@nkolev92 Our ultimate goal is for our builds to be deterministic and repeatable based on the state of our sources, regardless of what is installed on the machine (and eventually regardless of platform being used to do the builds). Having the ability to audit the list of required packages from the source state (contained in the lock file) is also helpful. In our case we already have custom logic that resolves out targeting pack content to packages available in our environments, which means we don't need to list them explicitly in the lock file (handled via some package boostrapping that's not specific to msbuild/dotnet). So for now we've disabled AutomaticallyUseReferenceAssemblyPackages, which has unblocked folks in our org that wanted to target .Net 5. Failing and asking users to explicitly add reference packages when needed could also work for our case, assuming that would be reflected in the lock file and doesn't vary machine to machine for the same sources. Having an option to automatically add the all the references based on targets regardless of the install state would also satisfy our concerns. Adding more implicit packages not listed in the lock files would not be desirable from our perspective. We're still working around the issue described at #7724 to add in the correct list of implicit runtime identifiers packages for our environments. |
nkolev92
added
the
Category:Quality Week
Details about Problem
Depending on what is installed on the machine, running restore on the same project will result in different packages.lock.json files.
Specifically we use the following command on our builds:
If the build fails with NU1004 (and we're not in an automated build environment), we'll re-run restore without --locked-mode to update the lock file and rebuild.
The problem is that the lock files are failing and being updated for differences in what is installed on the machine. For example, on our dev environments with Visual Studio installed, the lock file is smaller while in our more minimal environments without VS are adding additional sections similar to the following:
Using the new lock file in the other environment then fails and updating the lock file in that environment then removes the new sections. There is also variability in the dev environments based on the features being used.
This problem did not occur when using sdk version 3.1.405 in global.json (when we would get a consistent lock file just based on the project), and only started after changing the sdk version to 5.0.102.
The text was updated successfully, but these errors were encountered: